Manual OpenCA
Submitted by jose0019 • 24 October 2013 • 2,083 Words (9 Pages) • 498 Views
Administer OpenCA, the initialization of an Installed CA
Note: the administration URLs are only available to a browser running on the LiveCD machine. Console-only URLs are indicated as "localhost"; network accessible URLs are indicated as openca-livecd.dhcp-subdomain.your.domain
The OpenCA interface uses frames organized as tabs, with menus leading to pages within the tabs. Below, we will mark Tabs in bold, and Menu Items with emphasis. After executing a given operation, it may be necessary to reselect the Menu Item to advance to the next step. Several of the URLs referenced are available in the bookmarks pane to the left in the Mozilla installed on the CD.
Configure an installed/compiled OpenCA installation
1. Connect to the CA at http://localhost/ca/. A series of tabs will be visible. Select the General tab, and the Initialization item within it. That will bring up the "OpenCA Init" page with several links on it, organized into 3 phases (click the link for each phase to get to its operations).
Phase I: Initialize the Certification Authority
2. Click on Initialize the Certification Authority. This brings up the "Init Certification Authority" page.
3. Click on Initialize Database. This step should report success. Return to the "Init Certification Authority" page using the Back button.
4. Click on Generate new CA secret key. This brings up the "Get Additional Parameters" page. The default values are
o Encryption algorithm (des, des3, idea): des3
o Asymmetric algorithm (rsa, dsa): rsa
o CA key size (in bits): 4096
Click "OK"
5. Enter the CA Certificate Private Key password on the CA Token Login page. This password will protect the CA private key, and must be entered to operate the CA. After entering your password, click "OK". The server will create a key pair based on the parameters you entered; this may take a few moments. When key generation is complete, a screen will display the key. Click "OK". Return to "Init Certification Authority" page.
6. Click on Generate new CA Certificate Request (use generated secret key). Fill in the parameters as needed for your installation. Click "OK", and confirm the DN generated from the parameters. The OpenSSL configuration in the LiveCD install matches these items. You will be prompted to enter your credentials, meaning the private key password you set in the previous step. Return to the "Init Certification Authority" page.
7. Click on Self Signed CA Certificate (from already generated request). You will be prompted to confirm the validity period for the CA, as well as to confirm your credentials (the private key password). Return to the "Init Certification Authority" page.
8. Click on Rebuild CA Chain. You should get a response confirming success.
9. Click on Export Configuration. Click "OK" at the prompt about providing a support; this install of OpenCA needs no additional support. You should get a response confirming success.
Phase II: Create the initial administrator
10. Click on Create the initial CA certificate. This brings up the "Init First User" page. This step creates a certificate (and key pair) to identify the CA Administrator.
11. Click on Create a new request. Fill in the Certificate/User data as desired. The Role should be "CA Operator". The PIN will be used to protect the private key of this certificate on the server. Confirm that the data has been entered. There is no need to print the information. Return to the "Init First User" page.
12. Click on Edit the request. Click on "Submit the changed request" at the bottom (even though you didn't change the request). Click on "Issue Certificate" at the bottom. You will be prompted to confirm your credentials (the private key password). Return to the "Init First User" page.
13. Click on Handle the request. Select the "Certificate and Keypair" as p12 in the "Operations" section, and click on "Download". You will be prompted for the private key password for this certificate, which was generated as the PIN above. The p12 will be saved, and can be imported into the browser for use later.
Phase III: Create the initial RA certificate
14. Click on Create the initial RA certificate. This brings up the "Init First User" page. This step creates a certificate (and key pair) to identify the RA Administrator.
15. Click on Create a new request. Fill in the Certificate/User data as desired. The Role should be "RA Operator". The PIN will be used to protect the private key of this certificate on the server. Confirm that the data has been entered. There is no need to print the information. Return to the "Init First User" page.
16. Click on Edit the request. Click on "Submit the changed request" at the bottom (even though you didn't change the request). Click on "Issue Certificate" at the bottom. You will be prompted to confirm your credentials (the private key password). Return to the "Init First User" page.
17. Click on Handle the request. Select the "Certificate and Keypair" as p12 in the "Operations" section, and click on "Download". You will be prompted for the private key password for this certificate, which was generated as the PIN above. The p12 will be saved, and can be imported into the browser for use later.
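The web pages above hide what actually happens to the key material. The script below is an added example, not part of the OpenCA manual or of OpenCA itself: it reproduces with the plain openssl command line what Phase I (steps 4 to 8: a des3-protected RSA 4096 key, a CA request, a self-signed CA certificate, a chain check) and Phases II and III (steps 11 to 13 and 15 to 17: an operator key pair and request, a certificate issued by the CA, a .p12 bundle protected by the PIN) produce, and then checks the results the way you would want to before importing a .p12 into a browser. The file names, the DNs, the CA password and the PIN are constructed for the example; the 3650-day CA validity and 365-day operator validity are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not OpenCA's own code: openssl equivalents of the OpenCA
# "Init Certification Authority" and "Init First User" pages, plus the checks
# an operator would run on the artifacts. Names, DNs and passwords are constructed.
set -eu

WORK="${OPENCA_EXAMPLE_DIR:-$(mktemp -d)}"
CA_PASS='ca-token-login-password'   # constructed; stands in for the CA Token Login password (step 5)
OPERATOR_PIN='operator-pin-2718'    # constructed; stands in for the PIN entered in "Create a new request"

# Phase I, steps 4-5: the page's default parameters are des3 / rsa / 4096 bits.
init_ca_key() {
  openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORK/cakey.pem" 4096 2>/dev/null
  # A CA key must never sit on disk in the clear; OpenSSL labels encrypted keys.
  grep -q ENCRYPTED "$WORK/cakey.pem"
}

# Phase I, step 6: certificate request from the generated key (DN is constructed).
init_ca_request() {
  openssl req -new -key "$WORK/cakey.pem" -passin "pass:$CA_PASS" \
    -subj "/C=US/O=Example Org/OU=PKI/CN=Example OpenCA Root" -out "$WORK/careq.pem"
}

# Phase I, step 7: self-sign the request. $1 is the validity period in days that
# the page asks you to confirm. The extensions mark the certificate as a CA.
init_ca_certificate() {
  days="${1:-3650}"
  cat > "$WORK/ca_ext.cnf" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl x509 -req -in "$WORK/careq.pem" -signkey "$WORK/cakey.pem" -passin "pass:$CA_PASS" \
    -days "$days" -extfile "$WORK/ca_ext.cnf" -out "$WORK/cacert.pem"
}

# Phase I, step 8 ("Rebuild CA Chain"): a one-certificate chain must verify against
# itself and carry CA:TRUE, otherwise nothing issued later will verify either.
verify_ca_chain() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/cacert.pem" >/dev/null &&
  openssl x509 -in "$WORK/cacert.pem" -noout -text | grep -q 'CA:TRUE'
}

# Phases II/III, steps 11-13 and 15-17: key pair and request for an operator, a
# certificate issued by the CA, and the .p12 download protected by the PIN.
# $1 is the role from the request ("CA Operator" / "RA Operator"), $2 a file prefix.
issue_operator() {
  role="$1"; name="$2"
  openssl genrsa -des3 -passout "pass:$OPERATOR_PIN" -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -passin "pass:$OPERATOR_PIN" \
    -subj "/C=US/O=Example Org/OU=$role/CN=$name" -out "$WORK/$name.req"
  cat > "$WORK/op_ext.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
  # "Issue Certificate": signing with the CA key is why the CA password is asked again.
  openssl x509 -req -in "$WORK/$name.req" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -passin "pass:$CA_PASS" -CAcreateserial -days 365 -extfile "$WORK/op_ext.cnf" \
    -out "$WORK/$name.crt"
  # "Download" as p12: the PIN protects the bundle; the CA certificate rides along.
  openssl pkcs12 -export -inkey "$WORK/$name.key" -passin "pass:$OPERATOR_PIN" \
    -in "$WORK/$name.crt" -certfile "$WORK/cacert.pem" -name "$role" \
    -passout "pass:$OPERATOR_PIN" -out "$WORK/$name.p12"
}

# Checks before importing the .p12 into a browser: the certificate chains to the
# CA, the bundle opens with the PIN, and it does not open without it.
verify_operator() {
  name="$1"
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$name.crt" >/dev/null &&
  openssl pkcs12 -in "$WORK/$name.p12" -passin "pass:$OPERATOR_PIN" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject | grep -q "CN *= *$name" &&
  ! openssl pkcs12 -in "$WORK/$name.p12" -passin 'pass:wrong-pin' -nokeys >/dev/null 2>&1
}

init_ca_key
init_ca_request
init_ca_certificate 3650
verify_ca_chain
issue_operator "CA Operator" ca_operator
issue_operator "RA Operator" ra_operator
verify_operator ca_operator
verify_operator ra_operator
echo "CA and operator artifacts written to $WORK"
```

Run it as `sh openca_phases.sh`; the artifacts land in a fresh scratch directory (or in `$OPENCA_EXAMPLE_DIR` if set) so they can be compared with what the OpenCA pages wrote. The two checks worth keeping in mind for the real installation are the ones `verify_ca_chain` and `verify_operator` encode: the CA certificate must carry CA:TRUE and verify against itself, and an operator .p12 must chain to that CA and refuse to open with the wrong PIN.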
Initialize the RA
18. Connect to the RA node at http://localhost/ra-node/. A series of tabs will be visible. Select the Administration tab, and the Server Init item within it. That will bring up the "Init New Node" page with two links on it.
19. Click on Import Configuration under "PKI Setup". This step should report success after prompting for confirmation. An error message along the lines of "unable to insert object, but object is already present" is expected and acceptable. This step makes the CA certificate available to the RA and to public users.
________________________________________
Issue a User Certificate
Submit a Certificate Request
The OpenCA-LiveCD tries to register itself on the network as "openca-livecd.dhcp-subdomain.your.domain". If this fails, you may need to reach it by IP address. The ifconfig command in a shell window is helpful for determining the IP address.
1. Connect to openca-livecd.dhcp-subdomain.your.domain/pub
2. Select the User tab, and the Request a Certificate item. This brings up the "Request a certificate" page.
3. Click on Request a certificate with automatic browser detection. This brings up the "Basic
...